I have been selected as the General Area Review Team (Gen-ART)
reviewer for this draft (for background on Gen-ART, please see
http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).

Please resolve these comments along with any other Last Call comments
you may receive.


Document:  draft-ietf-mip6-cn-ipsec-05
Reviewer:  Christian Vogt
Review Date:  September 10, 2007
IETF LC End Date:  September 9, 2007
IESG Telechat date:  --

Summary:  Ready with nits.

Comments:

An important requirement for IPsec-based protection of Mobile IPv6 route
optimization is that the IPsec security associations are bound to the mobile
node's home address.  A malicious mobile node could otherwise misuse its own
security association for impersonating the home address of a different mobile
node.  The draft ensures this requirement in section 3 by saying that...

>  -  the Traffic Selectors MUST match exclusively the Home Address of
>     the Mobile Node and an address of the Correspondent Node (the
>     address used for communication between peers).

Yet the importance of this requirement, as well as its reason and effect, is
unlikely to become clear to the non-expert reader.  I would recommend adding a
section in the Security Considerations section elaborating on this.

Three nits in addition:

- Abstract:

>                         This document defines how IPsec can be used
>    between the Mobile Node and Correspondent Nodes for Home Address
>    Option validation (aka. triangular routing) and protection of
>    mobility signaling for Route Optimization.

The phrase "aka. triangular routing" is out of context here.  Just drop it.

- Section 1:  "This document defines an alternative mechanism" --> "...an
alternative mechanism for Mobile IPv6 route optimization"

- Section 3: "anti-replay services MUST be selected" --> "...MUST be enabled"

Best regards,
- Christian
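The binding requirement discussed above, as an added illustration that is not part of this review or of the draft: a small checker that models IKEv2-style traffic selectors as IPv6 address ranges (constructed documentation-prefix addresses; protocol and port fields omitted) and shows why an SA whose source selector is wider than the single home address would let a mobile node's own SA cover a different home address.

```python
"""Check that a Mobile IPv6 RO IPsec SA is bound to exactly one home address.

Constructed example, not from the draft: traffic selectors are modelled as
IPv6 address ranges, as in IKEv2 TSi/TSr; protocol and port fields omitted.
"""
import ipaddress
from dataclasses import dataclass

IPv6 = ipaddress.IPv6Address


@dataclass(frozen=True)
class TrafficSelector:
    src_start: IPv6
    src_end: IPv6
    dst_start: IPv6
    dst_end: IPv6


def covers(start: IPv6, end: IPv6, addr: IPv6) -> bool:
    return start <= addr <= end


def sa_bound_exclusively(ts: TrafficSelector, hoa: IPv6, cn: IPv6) -> bool:
    """Policy check: selector matches exactly HoA <-> CN address (section 3 MUST)."""
    return ts.src_start == ts.src_end == hoa and ts.dst_start == ts.dst_end == cn


def sa_accepts_claimed_hoa(ts: TrafficSelector, claimed_hoa: IPv6, cn: IPv6) -> bool:
    """Per-packet effect: does this SA admit a packet claiming claimed_hoa as HoA?"""
    return covers(ts.src_start, ts.src_end, claimed_hoa) and covers(ts.dst_start, ts.dst_end, cn)


# Constructed addresses (RFC 3849 documentation prefix), not from the draft.
HOME_NET = ipaddress.IPv6Network("2001:db8:1::/64")
OWN_HOA = IPv6("2001:db8:1::a")      # the mobile node's own home address
OTHER_HOA = IPv6("2001:db8:1::b")    # a different mobile node on the same home link
CN_ADDR = IPv6("2001:db8:2::1")

# Loose: source selector spans the whole home prefix instead of the single HoA.
LOOSE_TS = TrafficSelector(HOME_NET[0], HOME_NET[-1], CN_ADDR, CN_ADDR)
# Strict: the same SA constrained as the draft requires.
STRICT_TS = TrafficSelector(OWN_HOA, OWN_HOA, CN_ADDR, CN_ADDR)


def demo() -> dict:
    return {
        "loose_passes_policy": sa_bound_exclusively(LOOSE_TS, OWN_HOA, CN_ADDR),
        "loose_admits_other_hoa": sa_accepts_claimed_hoa(LOOSE_TS, OTHER_HOA, CN_ADDR),
        "strict_passes_policy": sa_bound_exclusively(STRICT_TS, OWN_HOA, CN_ADDR),
        "strict_admits_other_hoa": sa_accepts_claimed_hoa(STRICT_TS, OTHER_HOA, CN_ADDR),
    }
```

The policy check is the one to run when an SA is installed; the per-packet function only shows what a loose selector would otherwise allow through.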



_______________________________________________
Gen-art mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/gen-art